nistec

Imports

Imports #

"errors"
"crypto/internal/fips140/nistec/fiat"
"crypto/internal/fips140/subtle"
"errors"
"sync"
"crypto/internal/fips140/nistec/fiat"
"sync"
"crypto/internal/fips140/nistec/fiat"
"crypto/internal/fips140/subtle"
"crypto/internal/fips140deps/byteorder"
"crypto/internal/fips140deps/cpu"
"errors"
"math/bits"
"sync"
"unsafe"
"crypto/internal/fips140deps/byteorder"
"errors"
"math/bits"
"runtime"
"unsafe"
"crypto/internal/fips140/nistec/fiat"
"crypto/internal/fips140/subtle"
"errors"
"sync"
"crypto/internal/fips140/nistec/fiat"
"crypto/internal/fips140/subtle"
"errors"
"sync"
_ "crypto/internal/fips140/check"
"errors"

Constants & Variables

_p224B var #

var _p224B *fiat.P224Element

_p224BOnce var #

var _p224BOnce sync.Once

_p256B var #

var _p256B *fiat.P256Element

_p256BOnce var #

var _p256BOnce sync.Once

_p384B var #

var _p384B *fiat.P384Element

_p384BOnce var #

var _p384BOnce sync.Once

_p521B var #

var _p521B *fiat.P521Element

_p521BOnce var #

var _p521BOnce sync.Once

p224ElementLength const #

p224ElementLength is the length of an element of the base or scalar field, which have the same bytes length for all NIST P curves.

const p224ElementLength = 28

p224GG var #

var p224GG *[96]fiat.P224Element

p224GGOnce var #

var p224GGOnce sync.Once

p224GeneratorTable var #

var p224GeneratorTable *[*ast.BinaryExpr]p224Table

p224GeneratorTableOnce var #

var p224GeneratorTableOnce sync.Once

p256CompressedLength const #

const p256CompressedLength = *ast.BinaryExpr

p256CompressedLength const #

const p256CompressedLength = *ast.BinaryExpr

p256ElementLength const #

const p256ElementLength = 32

p256ElementLength const #

const p256ElementLength = 32

p256GeneratorTables var #

p256GeneratorTables is a series of precomputed multiples of G, the canonical generator. The first p256AffineTable contains multiples of G. The second one multiples of [2⁶]G, the third one of [2¹²]G, and so on, where each successive table is the previous table doubled six times. Six is the width of the sliding window used in ScalarBaseMult, and having each table already pre-doubled lets us avoid the doublings between windows entirely. This table aliases into p256PrecomputedEmbed.

var p256GeneratorTables *[43]p256AffineTable

p256One var #

p256One is one in the Montgomery domain.

var p256One = p256Element{...}

p256P var #

p256P is 2²⁵⁶ - 2²²⁴ + 2¹⁹² + 2⁹⁶ - 1 in the Montgomery domain.

var p256P = p256Element{...}

p256Precomputed var #

p256Precomputed is a series of precomputed multiples of G, the canonical generator. The first p256AffineTable contains multiples of G. The second one multiples of [2⁶]G, the third one of [2¹²]G, and so on, where each successive table is the previous table doubled six times. Six is the width of the sliding window used in p256ScalarBaseMult, and having each table already pre-doubled lets us avoid the doublings between windows entirely. This table aliases into p256PrecomputedEmbed.

var p256Precomputed *[43]p256AffineTable

p256PrecomputedEmbed var #

p256PrecomputedEmbed is the precomputed table of P-256 basepoint multiples. See [p256Precomputed]. It's not embedded with go:embed because it's not supported within the FIPS module boundary.

var p256PrecomputedEmbed = [...]byte{...}

p256UncompressedLength const #

const p256UncompressedLength = *ast.BinaryExpr

p256UncompressedLength const #

const p256UncompressedLength = *ast.BinaryExpr

p256Zero var #

var p256Zero = p256Element{...}

p384ElementLength const #

p384ElementLength is the length of an element of the base or scalar field, which have the same bytes length for all NIST P curves.

const p384ElementLength = 48

p384GeneratorTable var #

var p384GeneratorTable *[*ast.BinaryExpr]p384Table

p384GeneratorTableOnce var #

var p384GeneratorTableOnce sync.Once

p521ElementLength const #

p521ElementLength is the length of an element of the base or scalar field, which have the same bytes length for all NIST P curves.

const p521ElementLength = 66

p521GeneratorTable var #

var p521GeneratorTable *[*ast.BinaryExpr]p521Table

p521GeneratorTableOnce var #

var p521GeneratorTableOnce sync.Once

Type Aliases

p224Table type #

A p224Table holds the first 15 multiples of a point at offset -1, so [1]P is at table[0], [15]P is at table[14], and [0]P is implicitly the identity point.

type p224Table [15]*P224Point

p256AffineTable type #

p256AffineTable is a table of the first 32 multiples of a point. Points are stored at an index offset of -1 like in p256Table, and [0]P is not stored.

type p256AffineTable [32]p256AffinePoint

p256AffineTable type #

p256AffineTable is a table of the first 32 multiples of a point. Points are stored at an index offset of -1 like in p256Table, and [0]P is not stored.

type p256AffineTable [32]p256AffinePoint

p256Element type #

p256Element is a P-256 base field element in [0, P-1] in the Montgomery domain (with R 2²⁵⁶) as four limbs in little-endian order value.

type p256Element [4]uint64

p256OrdElement type #

p256OrdElement is a P-256 scalar field element in [0, ord(G)-1] in the Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order.

type p256OrdElement [4]uint64

p256OrdElement type #

p256OrdElement is a P-256 scalar field element in [0, ord(G)-1] in the Montgomery domain (with R 2²⁵⁶) as four uint64 limbs in little-endian order.

type p256OrdElement [4]uint64

p256Table type #

p256Table is a table of the first 16 multiples of a point. Points are stored at an index offset of -1 so [8]P is at index 7, P is at 0, and [16]P is at 15. [0]P is the point at infinity and it's not stored.

type p256Table [16]P256Point

p256Table type #

type p256Table [16]P256Point

p384Table type #

A p384Table holds the first 15 multiples of a point at offset -1, so [1]P is at table[0], [15]P is at table[14], and [0]P is implicitly the identity point.

type p384Table [15]*P384Point

p521Table type #

A p521Table holds the first 15 multiples of a point at offset -1, so [1]P is at table[0], [15]P is at table[14], and [0]P is implicitly the identity point.

type p521Table [15]*P521Point

Structs

P224Point struct #

P224Point is a P224 point. The zero value is NOT valid.

type P224Point struct {
x *fiat.P224Element
y *fiat.P224Element
z *fiat.P224Element
}

P256Point struct #

P256Point is a P-256 point. The zero value is NOT valid.

type P256Point struct {
x fiat.P256Element
y fiat.P256Element
z fiat.P256Element
}

P256Point struct #

P256Point is a P-256 point. The zero value should not be assumed to be valid (although it is in this implementation).

type P256Point struct {
x p256Element
y p256Element
z p256Element
}

P384Point struct #

P384Point is a P384 point. The zero value is NOT valid.

type P384Point struct {
x *fiat.P384Element
y *fiat.P384Element
z *fiat.P384Element
}

P521Point struct #

P521Point is a P521 point. The zero value is NOT valid.

type P521Point struct {
x *fiat.P521Element
y *fiat.P521Element
z *fiat.P521Element
}

p256AffinePoint struct #

p256AffinePoint is a point in affine coordinates (x, y). x and y are still Montgomery domain elements. The point can't be the point at infinity.

type p256AffinePoint struct {
x fiat.P256Element
y fiat.P256Element
}

p256AffinePoint struct #

p256AffinePoint is a point in affine coordinates (x, y). x and y are still Montgomery domain elements. The point can't be the point at infinity.

type p256AffinePoint struct {
x p256Element
y p256Element
}

Functions

Add method #

Add sets q = p1 + p2, and returns q. The points may overlap.

func (q *P224Point) Add(p1 *P224Point, p2 *P224Point) *P224Point

Add method #

Add sets q = p1 + p2, and returns q. The points may overlap.

func (q *P521Point) Add(p1 *P521Point, p2 *P521Point) *P521Point

Add method #

Add sets q = p1 + p2, and returns q. The points may overlap.

func (q *P256Point) Add(p1 *P256Point, p2 *P256Point) *P256Point

Add method #

Add sets q = p1 + p2, and returns q. The points may overlap.

func (q *P256Point) Add(r1 *P256Point, r2 *P256Point) *P256Point

Add method #

Add sets q = p1 + p2, and returns q. The points may overlap.

func (q *P384Point) Add(p1 *P384Point, p2 *P384Point) *P384Point

AddAffine method #

AddAffine sets q = p1 + p2, if infinity == 0, and to p1 if infinity == 1. p2 can't be the point at infinity as it can't be represented in affine coordinates, instead callers can set p2 to an arbitrary point and set infinity to 1.

func (q *P256Point) AddAffine(p1 *P256Point, p2 *p256AffinePoint, infinity int) *P256Point

Bytes method #

Bytes returns the uncompressed or infinity encoding of p, as specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at infinity is shorter than all other encodings.

func (p *P256Point) Bytes() []byte

Bytes method #

Bytes returns the uncompressed or infinity encoding of p, as specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at infinity is shorter than all other encodings.

func (p *P256Point) Bytes() []byte

Bytes method #

Bytes returns the uncompressed or infinity encoding of p, as specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at infinity is shorter than all other encodings.

func (p *P224Point) Bytes() []byte

Bytes method #

Bytes returns the uncompressed or infinity encoding of p, as specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at infinity is shorter than all other encodings.

func (p *P384Point) Bytes() []byte

Bytes method #

func (s *p256OrdElement) Bytes() []byte

Bytes method #

Bytes returns the uncompressed or infinity encoding of p, as specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at infinity is shorter than all other encodings.

func (p *P521Point) Bytes() []byte

BytesCompressed method #

BytesCompressed returns the compressed or infinity encoding of p, as specified in SEC 1, Version 2.0, Section 2.3.3. Note that the encoding of the point at infinity is shorter than all other encodings.

func (p *P256Point) BytesCompressed() []byte

BytesCompressed method #

func (p *P384Point) BytesCompressed() []byte

BytesCompressed method #

func (p *P224Point) BytesCompressed() []byte

BytesCompressed method #

func (p *P521Point) BytesCompressed() []byte

BytesCompressed method #

func (p *P256Point) BytesCompressed() []byte

BytesX method #

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

func (p *P256Point) BytesX() ([]byte, error)

BytesX method #

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

func (p *P384Point) BytesX() ([]byte, error)

BytesX method #

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

func (p *P224Point) BytesX() ([]byte, error)

BytesX method #

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

func (p *P521Point) BytesX() ([]byte, error)

BytesX method #

BytesX returns the encoding of the x-coordinate of p, as specified in SEC 1, Version 2.0, Section 2.3.5, or an error if p is the point at infinity.

func (p *P256Point) BytesX() ([]byte, error)

Compute method #

Compute populates the table to the first 16 multiples of q.

func (table *p256Table) Compute(q *P256Point) *p256Table

Double method #

Double sets q = p + p, and returns q. The points may overlap.

func (q *P256Point) Double(p *P256Point) *P256Point

Double method #

Double sets q = p + p, and returns q. The points may overlap.

func (q *P521Point) Double(p *P521Point) *P521Point

Double method #

Double sets q = p + p, and returns q. The points may overlap.

func (q *P384Point) Double(p *P384Point) *P384Point

Double method #

Double sets q = p + p, and returns q. The points may overlap.

func (q *P256Point) Double(p *P256Point) *P256Point

Double method #

Double sets q = p + p, and returns q. The points may overlap.

func (q *P224Point) Double(p *P224Point) *P224Point

Negate method #

Negate sets p to -p, if cond == 1, and to p if cond == 0.

func (p *p256AffinePoint) Negate(cond int) *p256AffinePoint

Negate method #

Negate sets p to -p, if cond == 1, and to p if cond == 0.

func (p *P256Point) Negate(cond int) *P256Point

NewP224Point function #

NewP224Point returns a new P224Point representing the point at infinity point.

func NewP224Point() *P224Point

NewP256Point function #

NewP256Point returns a new P256Point representing the point at infinity point.

func NewP256Point() *P256Point

NewP256Point function #

NewP256Point returns a new P256Point representing the point at infinity.

func NewP256Point() *P256Point

NewP384Point function #

NewP384Point returns a new P384Point representing the point at infinity point.

func NewP384Point() *P384Point

NewP521Point function #

NewP521Point returns a new P521Point representing the point at infinity point.

func NewP521Point() *P521Point

P256OrdInverse function #

func P256OrdInverse(k []byte) ([]byte, error)

P256OrdInverse function #

func P256OrdInverse(k []byte) ([]byte, error)

Projective method #

func (p *p256AffinePoint) Projective() *P256Point

Rsh method #

Rsh returns the 64 least significant bits of x >> n. n must be lower than 256. The value of n leaks through timing side-channels.

func (s *p256OrdElement) Rsh(n int) uint64

ScalarBaseMult method #

ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and returns p.

func (p *P224Point) ScalarBaseMult(scalar []byte) (*P224Point, error)

ScalarBaseMult method #

ScalarBaseMult sets r = scalar * generator, where scalar is a 32-byte big endian value, and returns r. If scalar is not 32 bytes long, ScalarBaseMult returns an error and the receiver is unchanged.

func (r *P256Point) ScalarBaseMult(scalar []byte) (*P256Point, error)

ScalarBaseMult method #

ScalarBaseMult sets p = scalar * generator, where scalar is a 32-byte big endian value, and returns r. If scalar is not 32 bytes long, ScalarBaseMult returns an error and the receiver is unchanged.

func (p *P256Point) ScalarBaseMult(scalar []byte) (*P256Point, error)

ScalarBaseMult method #

ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and returns p.

func (p *P384Point) ScalarBaseMult(scalar []byte) (*P384Point, error)

ScalarBaseMult method #

ScalarBaseMult sets p = scalar * B, where B is the canonical generator, and returns p.

func (p *P521Point) ScalarBaseMult(scalar []byte) (*P521Point, error)

ScalarMult method #

ScalarMult sets r = scalar * q, where scalar is a 32-byte big endian value, and returns r. If scalar is not 32 bytes long, ScalarBaseMult returns an error and the receiver is unchanged.

func (r *P256Point) ScalarMult(q *P256Point, scalar []byte) (*P256Point, error)

ScalarMult method #

ScalarMult sets p = scalar * q, and returns p.

func (p *P224Point) ScalarMult(q *P224Point, scalar []byte) (*P224Point, error)

ScalarMult method #

ScalarMult sets p = scalar * q, and returns p.

func (p *P384Point) ScalarMult(q *P384Point, scalar []byte) (*P384Point, error)

ScalarMult method #

ScalarMult sets p = scalar * q, and returns p.

func (p *P521Point) ScalarMult(q *P521Point, scalar []byte) (*P521Point, error)

ScalarMult method #

ScalarMult sets r = scalar * q, where scalar is a 32-byte big endian value, and returns r. If scalar is not 32 bytes long, ScalarMult returns an error and the receiver is unchanged.

func (p *P256Point) ScalarMult(q *P256Point, scalar []byte) (*P256Point, error)

Select method #

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

func (q *P384Point) Select(p1 *P384Point, p2 *P384Point, cond int) *P384Point

Select method #

Select selects the n-th multiple of the table base point into p. It works in constant time by iterating over every entry of the table. n must be in [0, 15].

func (table *p224Table) Select(p *P224Point, n uint8)

Select method #

Select selects the n-th multiple of the table base point into p. It works in constant time. n must be in [0, 16]. If n is 0, p is set to the identity point.

func (table *p256Table) Select(p *P256Point, n uint8)

Select method #

Select selects the n-th multiple of the table base point into p. It works in constant time. n can be in [0, 32], but (unlike p256Table.Select) if n is 0, p is set to an undefined value.

func (table *p256AffineTable) Select(p *p256AffinePoint, n uint8)

Select method #

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

func (q *P256Point) Select(p1 *P256Point, p2 *P256Point, cond int) *P256Point

Select method #

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

func (q *P521Point) Select(p1 *P521Point, p2 *P521Point, cond int) *P521Point

Select method #

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

func (q *P256Point) Select(p1 *P256Point, p2 *P256Point, cond int) *P256Point

Select method #

Select sets q to p1 if cond == 1, and to p2 if cond == 0.

func (q *P224Point) Select(p1 *P224Point, p2 *P224Point, cond int) *P224Point

Select method #

Select selects the n-th multiple of the table base point into p. It works in constant time by iterating over every entry of the table. n must be in [0, 15].

func (table *p521Table) Select(p *P521Point, n uint8)

Select method #

Select selects the n-th multiple of the table base point into p. It works in constant time by iterating over every entry of the table. n must be in [0, 15].

func (table *p384Table) Select(p *P384Point, n uint8)

Set method #

Set sets p = q and returns p.

func (p *P256Point) Set(q *P256Point) *P256Point

Set method #

Set sets p = q and returns p.

func (p *P384Point) Set(q *P384Point) *P384Point

Set method #

Set sets p = q and returns p.

func (p *P256Point) Set(q *P256Point) *P256Point

Set method #

Set sets p = q and returns p.

func (p *P521Point) Set(q *P521Point) *P521Point

Set method #

Set sets p = q and returns p.

func (p *P224Point) Set(q *P224Point) *P224Point

SetBytes method #

SetBytes sets p to the compressed, uncompressed, or infinity value encoded in b, as specified in SEC 1, Version 2.0, Section 2.3.4. If the point is not on the curve, it returns nil and an error, and the receiver is unchanged. Otherwise, it returns p.

func (p *P224Point) SetBytes(b []byte) (*P224Point, error)

SetBytes method #

func (p *P384Point) SetBytes(b []byte) (*P384Point, error)

SetBytes method #

SetBytes sets s to the big-endian value of x, reducing it as necessary.

func (s *p256OrdElement) SetBytes(x []byte) (*p256OrdElement, error)

SetBytes method #

func (p *P256Point) SetBytes(b []byte) (*P256Point, error)

SetBytes method #

func (p *P256Point) SetBytes(b []byte) (*P256Point, error)

SetBytes method #

func (p *P521Point) SetBytes(b []byte) (*P521Point, error)

SetGenerator method #

SetGenerator sets p to the canonical generator and returns p.

func (p *P256Point) SetGenerator() *P256Point

SetGenerator method #

SetGenerator sets p to the canonical generator and returns p.

func (p *P256Point) SetGenerator() *P256Point

SetGenerator method #

SetGenerator sets p to the canonical generator and returns p.

func (p *P384Point) SetGenerator() *P384Point

SetGenerator method #

SetGenerator sets p to the canonical generator and returns p.

func (p *P521Point) SetGenerator() *P521Point

SetGenerator method #

SetGenerator sets p to the canonical generator and returns p.

func (p *P224Point) SetGenerator() *P224Point

affineFromMont method #

affineFromMont sets (x, y) to the affine coordinates of p, converted out of the Montgomery domain.

func (p *P256Point) affineFromMont(x *p256Element, y *p256Element)

boothW5 function #

func boothW5(in uint) (int, int)

boothW5 function #

func boothW5(in uint64) (uint8, int)

boothW6 function #

func boothW6(in uint) (int, int)

boothW6 function #

func boothW6(in uint64) (uint8, int)

bytes method #

func (p *P256Point) bytes(out *[p256UncompressedLength]byte) []byte

bytes method #

func (p *P521Point) bytes(out *[*ast.BinaryExpr]byte) []byte

bytes method #

func (p *P224Point) bytes(out *[*ast.BinaryExpr]byte) []byte

bytes method #

func (p *P384Point) bytes(out *[*ast.BinaryExpr]byte) []byte

bytes method #

func (p *P256Point) bytes(out *[p256UncompressedLength]byte) []byte

bytesCompressed method #

func (p *P256Point) bytesCompressed(out *[p256CompressedLength]byte) []byte

bytesCompressed method #

func (p *P224Point) bytesCompressed(out *[*ast.BinaryExpr]byte) []byte

bytesCompressed method #

func (p *P521Point) bytesCompressed(out *[*ast.BinaryExpr]byte) []byte

bytesCompressed method #

func (p *P384Point) bytesCompressed(out *[*ast.BinaryExpr]byte) []byte

bytesCompressed method #

func (p *P256Point) bytesCompressed(out *[p256CompressedLength]byte) []byte

bytesToLimbs function #

func bytesToLimbs(l *[4]uint64, b *[32]byte)

bytesX method #

func (p *P256Point) bytesX(out *[p256ElementLength]byte) ([]byte, error)

bytesX method #

func (p *P521Point) bytesX(out *[p521ElementLength]byte) ([]byte, error)

bytesX method #

func (p *P256Point) bytesX(out *[p256ElementLength]byte) ([]byte, error)

bytesX method #

func (p *P224Point) bytesX(out *[p224ElementLength]byte) ([]byte, error)

bytesX method #

func (p *P384Point) bytesX(out *[p384ElementLength]byte) ([]byte, error)

generatorTable method #

generatorTable returns a sequence of p384Tables. The first table contains multiples of G. Each successive table is the previous table doubled four times.

func (p *P384Point) generatorTable() *[*ast.BinaryExpr]p384Table

generatorTable method #

generatorTable returns a sequence of p224Tables. The first table contains multiples of G. Each successive table is the previous table doubled four times.

func (p *P224Point) generatorTable() *[*ast.BinaryExpr]p224Table

generatorTable method #

generatorTable returns a sequence of p521Tables. The first table contains multiples of G. Each successive table is the previous table doubled four times.

func (p *P521Point) generatorTable() *[*ast.BinaryExpr]p521Table

init function #

func init()

init function #

func init()

isInfinity method #

isInfinity returns 1 if p is the point at infinity and 0 otherwise.

func (p *P256Point) isInfinity() int

limbsToBytes function #

func limbsToBytes(b *[32]byte, l *[4]uint64)

p224B function #

func p224B() *fiat.P224Element

p224CheckOnCurve function #

func p224CheckOnCurve(x *fiat.P224Element, y *fiat.P224Element) error

p224Polynomial function #

p224Polynomial sets y2 to x³ - 3x + b, and returns y2.

func p224Polynomial(y2 *fiat.P224Element, x *fiat.P224Element) *fiat.P224Element

p224Sqrt function #

p224Sqrt sets e to a square root of x. If x is not a square, p224Sqrt returns false and e is unchanged. e and x can overlap.

func p224Sqrt(e *fiat.P224Element, x *fiat.P224Element) (isSquare bool)

p224SqrtCandidate function #

p224SqrtCandidate sets r to a square root candidate for x. r and x must not overlap.

func p224SqrtCandidate(r *fiat.P224Element, x *fiat.P224Element)

p256Add function #

p256Add sets res = x + y.

func p256Add(res *p256Element, x *p256Element, y *p256Element)

p256B function #

func p256B() *fiat.P256Element

p256BaseMult method #

func (p *P256Point) p256BaseMult(scalar *p256OrdElement)

p256BigToLittle function #

func p256BigToLittle(l *p256Element, b *[32]byte)

p256CheckOnCurve function #

func p256CheckOnCurve(x *p256Element, y *p256Element) error

p256CheckOnCurve function #

func p256CheckOnCurve(x *fiat.P256Element, y *fiat.P256Element) error

p256Equal function #

p256Equal returns 1 if a and b are equal and 0 otherwise.

func p256Equal(a *p256Element, b *p256Element) int

p256FromMont function #

Montgomery multiplication by R⁻¹, or 1 outside the domain. Sets res = in * R⁻¹, bringing res out of the Montgomery domain. go:noescape

func p256FromMont(res *p256Element, in *p256Element)

p256Inverse function #

p256Inverse sets out to in⁻¹ mod p. If in is zero, out will be zero.

func p256Inverse(out *p256Element, in *p256Element)

p256LessThanP function #

p256LessThanP returns 1 if x < p, and 0 otherwise. Note that a p256Element is not allowed to be equal to or greater than p, so if this function returns 0 then x is invalid.

func p256LessThanP(x *p256Element) int

p256LittleToBig function #

func p256LittleToBig(b *[32]byte, l *p256Element)

p256MovCond function #

If cond is 0, sets res = b, otherwise sets res = a. go:noescape

func p256MovCond(res *P256Point, a *P256Point, b *P256Point, cond int)

p256Mul function #

Montgomery multiplication. Sets res = in1 * in2 * R⁻¹ mod p. go:noescape

func p256Mul(res *p256Element, in1 *p256Element, in2 *p256Element)

p256NegCond function #

If cond is not 0, sets val = -val mod p. go:noescape

func p256NegCond(val *p256Element, cond int)

p256OrdBigToLittle function #

func p256OrdBigToLittle(l *p256OrdElement, b *[32]byte)

p256OrdLittleToBig function #

func p256OrdLittleToBig(b *[32]byte, l *p256OrdElement)

p256OrdMul function #

Montgomery multiplication modulo org(G). Sets res = in1 * in2 * R⁻¹. go:noescape

func p256OrdMul(res *p256OrdElement, in1 *p256OrdElement, in2 *p256OrdElement)

p256OrdReduce function #

p256OrdReduce ensures s is in the range [0, ord(G)-1].

func p256OrdReduce(s *p256OrdElement)

p256OrdSqr function #

Montgomery square modulo org(G), repeated n times (n >= 1). go:noescape

func p256OrdSqr(res *p256OrdElement, in *p256OrdElement, n int)

p256PointAddAffineAsm function #

Point addition with an affine point and constant time conditions. If zero is 0, sets res = in2. If sel is 0, sets res = in1. If sign is not 0, sets res = in1 + -in2. Otherwise, sets res = in1 + in2 go:noescape

func p256PointAddAffineAsm(res *P256Point, in1 *P256Point, in2 *p256AffinePoint, sign int, sel int, zero int)

p256PointAddAsm function #

Point addition. Sets res = in1 + in2. Returns one if the two input points were equal and zero otherwise. If in1 or in2 are the point at infinity, res and the return value are undefined. go:noescape

func p256PointAddAsm(res *P256Point, in1 *P256Point, in2 *P256Point) int

p256PointDoubleAsm function #

Point doubling. Sets res = in + in. in can be the point at infinity. go:noescape

func p256PointDoubleAsm(res *P256Point, in *P256Point)

p256Polynomial function #

p256Polynomial sets y2 to x³ - 3x + b, and returns y2.

func p256Polynomial(y2 *p256Element, x *p256Element) *p256Element

p256Polynomial function #

p256Polynomial sets y2 to x³ - 3x + b, and returns y2.

func p256Polynomial(y2 *fiat.P256Element, x *fiat.P256Element) *fiat.P256Element

p256ScalarMult method #

func (p *P256Point) p256ScalarMult(scalar *p256OrdElement)

p256Select function #

p256Select sets res to the point at index idx in the table. idx must be in [0, 15]. It executes in constant time. go:noescape

func p256Select(res *P256Point, table *p256Table, idx int)

p256SelectAffine function #

p256SelectAffine sets res to the point at index idx in the table. idx must be in [0, 31]. It executes in constant time. go:noescape

func p256SelectAffine(res *p256AffinePoint, table *p256AffineTable, idx int)

p256Sqr function #

Montgomery square, repeated n times (n >= 1). go:noescape

func p256Sqr(res *p256Element, in *p256Element, n int)

p256Sqrt function #

p256Sqrt sets e to a square root of x. If x is not a square, p256Sqrt returns false and e is unchanged. e and x can overlap.

func p256Sqrt(e *fiat.P256Element, x *fiat.P256Element) (isSquare bool)

p256Sqrt function #

p256Sqrt sets e to a square root of x. If x is not a square, p256Sqrt returns false and e is unchanged. e and x can overlap.

func p256Sqrt(e *p256Element, x *p256Element) (isSquare bool)

p256Square function #

p256Square sets e to the square of x, repeated n times > 1.

func p256Square(e *fiat.P256Element, x *fiat.P256Element, n int)

p384B function #

func p384B() *fiat.P384Element

p384CheckOnCurve function #

func p384CheckOnCurve(x *fiat.P384Element, y *fiat.P384Element) error

p384Polynomial function #

p384Polynomial sets y2 to x³ - 3x + b, and returns y2.

func p384Polynomial(y2 *fiat.P384Element, x *fiat.P384Element) *fiat.P384Element

p384Sqrt function #

p384Sqrt sets e to a square root of x. If x is not a square, p384Sqrt returns false and e is unchanged. e and x can overlap.

func p384Sqrt(e *fiat.P384Element, x *fiat.P384Element) (isSquare bool)

p384SqrtCandidate function #

p384SqrtCandidate sets z to a square root candidate for x. z and x must not overlap.

func p384SqrtCandidate(z *fiat.P384Element, x *fiat.P384Element)

p521B function #

func p521B() *fiat.P521Element

p521CheckOnCurve function #

func p521CheckOnCurve(x *fiat.P521Element, y *fiat.P521Element) error

p521Polynomial function #

p521Polynomial sets y2 to x³ - 3x + b, and returns y2.

func p521Polynomial(y2 *fiat.P521Element, x *fiat.P521Element) *fiat.P521Element

p521Sqrt function #

p521Sqrt sets e to a square root of x. If x is not a square, p521Sqrt returns false and e is unchanged. e and x can overlap.

func p521Sqrt(e *fiat.P521Element, x *fiat.P521Element) (isSquare bool)

p521SqrtCandidate function #

p521SqrtCandidate sets z to a square root candidate for x. z and x must not overlap.

func p521SqrtCandidate(z *fiat.P521Element, x *fiat.P521Element)

uint64IsZero function #

uint64IsZero returns 1 if x is zero and zero otherwise.

func uint64IsZero(x uint64) int

Generated with Arrow